Oversight Review          May 1, 2007

Review of the Defense Contract Audit Agency Quality Control System
(Report No. D-2007-6-006)

Additional Copies

To obtain additional copies of the final report, visit the website of the Department
of Defense Inspector General at www.dodig.mil/audit/reports or contact the Office
of Assistant Inspector General for Audit Policy and Oversight at (703) 604-8760 or
fax (703) 604-9808.

Suggestions for Audits

To suggest ideas for or to request future reviews, contact the Office of the Assistant
Inspector General for Audit Policy and Oversight at (703) 604-8760 (DSN
664-8760) or fax (703) 604-9808. Ideas and requests can also be mailed to:

  OAIG-APO
  Department of Defense Inspector General
  400 Army Navy Drive (Room 1015)
  Arlington, VA 22202-4704

Acronyms

AICPA   American Institute of Certified Public Accountants
AUP     Agreed-Upon Procedures
CACS    Contract Audit Closing Statement
CAM     Contract Audit Manual
CAS     Cost Accounting Standards
DCAA    Defense Contract Audit Agency
DFARS   Defense Federal Acquisition Regulation Supplement
FAR     Federal Acquisition Regulations
GAS     Government Auditing Standards
GAGAS   Generally Accepted Government Auditing Standards
ICSR    Internal Control System Review
ODC     Other Direct Costs
PCIE    President’s Council on Integrity and Efficiency

Appendix A. Comments, Observations, and Recommendations

We determined that the DCAA quality control system is adequately designed and
functioning as prescribed. [1] The concerns we identified with the findings, conclusions, or
recommendations during our review of the selected DCAA assignments and associated
reports were not cumulatively significant enough to indicate that material deficiencies
existed in the DCAA quality control system for complying with generally accepted
government auditing standards (GAGAS). Also, DCAA demonstrated that it
implemented internal procedures for monitoring its ongoing compliance with quality
control policies and procedures. Specifically, DCAA performed cyclical internal quality
assurance reviews during the prior 3 years on forward pricing, internal control system,
incurred cost, and “All Other” [2] reviews and the general standards.

Although the concerns we identified did not affect our overall opinion, DCAA could
improve its quality assurance program by assigning independent quality assurance
auditors to review Field Detachment assignments, increasing coverage of internal control
system reviews (ICSRs), and verifying audit office implementation of repeat
noncompliances. DCAA should also revise its guidance for attestation engagements on
desk reviews of incurred cost submissions under $15 million; contract audit closing
statement reviews; Agreed-Upon Procedures (AUPs) engagements; identification of
criteria; planning, risk assessment, and designing tests for fraud, illegal acts, violations of
contracts or grant agreements, and abuse; and documentation and reporting of sampling
plans. Implementing the following recommendations would improve the quality control
system and help maintain an adequate opinion.

Quality Control and Assurance

1. Independent Internal Quality Assurance Review of Field Detachment
Offices.
From June 2005 through October 2006, the DCAA process for allowing
auditors [3] from the Field Detachment quality assurance division to perform the overall
headquarters-led quality assurance reviews of selected Field Detachment offices did not
provide the needed independence for an internal quality assurance review. Originally,
DCAA decided not to independently test the Field Detachment based on workload,
security considerations, and the fact that DCAA considers the Field Detachment Quality
Assurance Division independent because it is separate from Field Detachment audit
operations. During the DCAA first cycle of quality assurance reviews, as an alternative
to our recommendation to have independent reviewers perform the Field Detachment
internal quality assurance review, DCAA added the requirement for the Deputy Director,
DCAA, to select the offices for review and review the draft and review and sign the final
memorandums for record. However, during the second cycle of quality assurance
reviews, the Deputy Director retired and in June 2005, the Director, Field Detachment,
assumed the Deputy Director position. DCAA recognized that an independence issue
existed because the new Deputy Director had had overall management responsibility for
the Field Detachment. To resolve the independence issue, DCAA requested the required
security clearance for a headquarters quality assurance staff member. In December 2006,
DCAA informed us that the clearance had been granted.

[1] An adequate system that is functioning as prescribed equals an unmodified opinion as defined by the
    President’s Council on Integrity and Efficiency.
[2] “All Other” reviews include Cost Accounting Standards and Disclosure Statement reviews, equitable
    adjustments, terminations, defective pricing, and special reviews.
[3] The terms “audit” and “auditor” are used generically by both DCAA and the Government Accountability
    Office to cover all types of evaluations done in accordance with GAGAS or individuals with titles other
    than “auditor” who perform such reviews.

One independent reviewer on the headquarters-led internal quality assurance team is the
minimum needed. Headquarters-led internal quality assurance reviews of audit offices in
the five regions are performed entirely by quality assurance staff from either headquarters
or other regions. DCAA should revise the review process for Field Detachment so that it
more closely follows the same process for the regions, taking into account security
considerations. This would require the Chief, Quality Assurance Division, Policy and
Plans, to obtain the required clearances so that they can review and properly oversee the
work. Other quality assurance staff would also require clearances or access to
unclassified Field Detachment work.

During our review of the Field Detachment location, we found that not all assignments
performed by the office were classified; therefore, an uncleared headquarters quality
assurance team member could review some assignments at certain Field Detachment
offices depending on security requirements such as facility access. In the past, the
DCAA Field Detachment has placed uncleared auditors in unclassified areas at locations
with classified work and provided them with unclassified assignments to perform while
awaiting their security clearances. However, when allowing an uncleared quality
assurance auditor access to unclassified assignments is too great a security risk, DCAA
headquarters should ensure that more than one headquarters or regional quality assurance
auditor has the necessary clearances.
Obtaining the required clearances can take more
than a year depending on the circumstances, and relying on one quality assurance auditor
to work on all the reviews may not be practical. That individual may be promoted or
rotated to a different position within several years, require an extended leave of absence,
or encounter a personal independence issue that could require them to recuse themselves
from a review. Therefore, DCAA headquarters should take additional steps so that more
than one independent quality assurance auditor can be assigned to each headquarters-led
quality assurance review of Field Detachment assignments.

Recommendations, Management Comments, and DoD IG Response

1. The Director, Defense Contract Audit Agency should revise the
headquarters-led quality assurance review process and obtain the needed security
clearances and billets so that:

  (a.) the Chief, Quality Assurance Division, Policy and Plans, has the
  required clearance(s) for access to Field Detachment work, and

  (b.) more than one headquarters or regional quality assurance
  auditors can participate in the headquarters-led internal quality assurance
  reviews of Field Detachment offices.

Management Comments. The DCAA Assistant Director for Policy and Plans partially
concurred with the recommendations. DCAA agreed to have a second member of the
Headquarters, Quality Assurance Division staff obtain the necessary security clearance
but disagrees with the recommendation that the Chief, Quality Assurance Division,
should obtain a security clearance for access to Field Detachment audit work.

DoD IG Response. We accept the DCAA proposed action as partially meeting the intent
of the recommendations.
However, DCAA should reconsider its nonconcurrence to
getting the Chief of the Quality Assurance Division the necessary clearances to properly
supervise the quality reviews of the Field Detachment. Proper supervision requires the
supervisor have access to the same data the auditor saw.

2. Quality Assurance Program Coverage of Internal Control System
Reviews. DCAA reduced its coverage of ICSRs to an inappropriate level during its
second cycle of headquarters-led quality assurance reviews by selecting significantly
fewer offices and assignments for review. During the first cycle, DCAA reviewed a total
of 84 ICSRs at 18 audit offices. For the second cycle, DCAA reviewed 36 ICSRs at
6 offices and 10 estimating system reviews at 10 additional audit offices for a total of
46 ICSRs. The first cycle coverage was based on the number of ICSR assignments
performed. For the second cycle, DCAA based the number of ICSRs reviewed on the
direct audit hours charged to system reviews, not including estimating, as a percentage of
total direct hours charged. DCAA auditors charged 8.5 percent of the total direct hours
to ICSR assignments in FY 2003 versus 5.6 percent of total direct audit hours in FY
1999. [4] Even though the percent of direct hours charged to ICSRs increased, the second
cycle quality assurance reviews covered only half the number of assignments reviewed
during the first cycle. Other than for estimating system reviews, the quality assurance
review process did not cover enough audit offices to provide assurance that a deficiency
did not exist across the agency unless the deficiency was so severe that it occurred at
almost all offices. Additionally, the second cycle review did not include a sufficient
number of certain ICSRs to follow up on previously identified deficiencies.
For instance,
in the first cycle, DCAA found that during the Indirect Cost and ODC [Other Direct
Costs] System reviews the offices were not always adequately auditing the portion of the
system relating to ODCs. DCAA determined that the standard program needed to be
revised. During the second cycle, the quality assurance review team only evaluated one
Indirect Cost and ODC System review for compliance with GAGAS. One review is not
sufficient to determine whether prior corrective actions have been effective.

DCAA uses the ICSR results as a major part of their risk assessment for all other work
performed at a major contractor. DCAA identifies 10 internal control systems that may
be appropriate to review at each major [5] contractor. In FY 2006, DCAA expended only
6.4 percent of direct audit hours on performing ICSRs. However, during the same time
period, DCAA used the results from ICSRs to assess risk when auditing $247 billion or
72 percent of total FY 2006 dollars examined, on assignments for major contractors.
During the FY 2006 external quality control system review, we identified 5 of 24 ICSRs
(20 percent) reviewed where DCAA inappropriately opined on the adequacy of a
contractor’s internal control system because of insufficient compliance testing or other
evidence issues. Sufficient compliance testing during the ICSRs is essential for ensuring
that the appropriate amount of testing or review is performed on other assignments at the
same contractor. Therefore, DCAA should increase the number of audit offices and
assignments reviewed during its quality assurance reviews of ICSRs and perform other
monitoring activities of ICSRs because inadequate ICSRs have a far-reaching effect on
other DCAA work. A reasonable approach, considering resource restraints, would be for
DCAA to double the number of offices reviewed during the second cycle while
maintaining the number of assignments reviewed at six per office.
This approach should
broaden the overall coverage, but not increase the time spent reviewing each office.

[4] DCAA auditors charged more hours in FY 2003 (300,100) versus FY 1999 (264,401) to ICSRs.
[5] A major contractor is one with $90 million or more in auditable contract dollars.

Recommendation, Management Comments, and DoD IG Response

Recommendation 2.

The Director, Defense Contract Audit Agency should provide the
headquarters Quality Assurance Division with additional staff so that at least
12 audit offices and 72 internal control system reviews can be reviewed during the
third quality control cycle of internal control system reviews.

Management Comments. The DCAA Assistant Director for Policy and Plans partially
concurred with the recommendation. DCAA agreed that for the current round of the
Headquarters Quality Assurance Division reviews, they would expand their review of
ICSR assignments by increasing the number of FAOs and assignments reviewed based
on number of ICSR assignments performed by region and related to risk.

DoD IG Response. We accept the DCAA proposed actions as satisfying the intent of the
recommendation.

3. Quality Assurance Program Followup on Repeat Noncompliances at
Audit Offices. For its second cycle of headquarters-led internal quality control reviews,
DCAA identified repeat noncompliances at 22 of 48 reviewed audit offices. DCAA
considered agency-wide repeat noncompliances to be implementation issues, and,
therefore, headquarters quality assurance division was not involved in determining
whether the audit office had implemented effective corrective actions for the repeat
noncompliances. For 17 audit offices that DCAA rated “satisfactory” out of the 22 that
had repeat noncompliances, neither headquarters nor the region was required to perform
any follow-up on the planned corrective actions.
The headquarters Quality Assurance
Division did review the audit offices’ comments to the trip reports and the proposed
corrective actions to ensure that the audit office planned to take additional actions beyond
those previously taken. Continued repeat noncompliances may indicate significant
deficiencies in the DCAA quality control system, and could negatively impact the overall
opinion. Therefore either the regional or headquarters quality assurance team should
verify that the audit offices properly implemented the planned corrective action and that
it was effective.

Recommendation, Management Comments, and DoD IG Response

Recommendation 3.

The Director, Defense Contract Audit Agency should revise the existing
headquarters-led quality assurance review process starting with followup actions
for the second round so that either a regional or headquarters quality assurance
staff member would evaluate the effectiveness of corrective actions planned or
implemented by each audit office for all repeat noncompliances.

Management Comments. The DCAA Assistant Director for Policy and Plans partially
concurred with the recommendation. DCAA agreed to revise the Headquarters Quality
Assurance process to require Regional Quality Assurance staff to evaluate the
effectiveness of the corrective actions implemented by audit offices for repeat
noncompliances. DCAA plans to begin the new process for the third round of quality
assurance reviews, which began in October 2006. However, DCAA will not apply the
process to the corrective actions proposed for the second round of quality assurance
reviews.

DoD IG Response. Although the DCAA proposed action meets the intent of the
recommendation, we suggest DCAA reconsider their decision not to implement the
process on the corrective actions proposed in the second round.
Early identification of
ineffective corrective actions would allow time for reassessment and implementation of
alternative actions.

Types of Attestation Engagements

4. Desk Reviews of Contractor Incurred Cost Submissions Under
$15 Million. DCAA did not comply with GAGAS when performing incurred cost desk
reviews as review-level engagements. The purpose of an incurred cost assignment is to
determine whether the contractor complied with applicable laws, regulations, and
contract provisions when charging costs to the Government. GAGAS, however, does not
permit auditors to perform a review-level engagement when determining whether an
entity has complied with laws and regulations.

DCAA must either perform the desk reviews as an examination or AUP engagement or
not state that a desk review was performed in accordance with GAGAS. DCAA
performs desk reviews on incurred cost submissions from contractors that have less than
$15 million in auditable dollars and are considered low risk because DCAA did not
identify questioned costs on previous incurred cost assignments. For these contractors,
DCAA performs an examination of their incurred cost submission only once every
3 years. For the other 2 years, DCAA performs a limited review, issues a report
providing negative assurance, and states the review was performed in accordance with
GAGAS. In FY 2006, DCAA auditors charged more than 33,500 hours to desk reviews
and recorded $1.6 billion as dollars examined.
DCAA should correct the noncompliance
in a timely manner by either issuing guidance that conforms with GAGAS to the field on
how to perform or report on desk reviews or temporarily suspend performance of desk
reviews until the GAGAS noncompliance issue is resolved.

Recommendation, Management Comments, and DoD IG Response

Recommendation 4.

The Director, Defense Contract Audit Agency should suspend the
performance of desk reviews until agency guidance on performing desk reviews is
issued that complies with generally accepted government auditing standards.

Management Comments. The DCAA Assistant Director for Policy and Plans concurred
in principle with the recommendation. DCAA issued guidance on April 11, 2007,
effective immediately, requiring desk reviews be closed by issuing a memorandum that
does not state the review was performed in accordance with GAGAS.

DoD IG Response. We accept the DCAA actions as satisfying the intent of the
recommendation and commend DCAA on taking immediate corrective actions.

5. Contract Audit Closing Statement Assignments. DCAA did not comply
with the applicable GAGAS requirements when performing the six reviewed contract
audit closing statement (CACS) assignments [6] because its CACS standard programs do
not prompt an auditor to perform key required audit steps. DCAA performs CACS
normally as an examination, but for situations when a quick close-out is permissible,
DCAA performs an AUP. For CACS performed as an examination, the standard
program clearly states that the closing procedures are administrative in nature and DCAA
should have audited the costs in other assignments. Steps are included to reconcile the
voucher to either the audit files or the contractor’s records; however, a CACS assignment
is still, generally, a summary or restatement of prior audit work that should have
complied with GAGAS and does not itself actually comply with GAGAS as stated in the
report. For instance, the CACS standard program does not have steps to design
procedures to detect or identify potential fraud that is material to the assertion.
Additionally, because DCAA only issues a CACS report when cumulative allowable cost
worksheets have not been prepared for the entire period of performance, apparently,
contracting officers do not require an opinion as provided in an examination report to
close out the contract. Under these circumstances, DCAA should revise its procedures to
issue a report that specifies that the review was not performed in compliance with
GAGAS. The report format should also be revised to eliminate any wording that might
improperly imply otherwise to the user.

[6] For FY 2006, DCAA auditors charged approximately 1.7 percent of direct hours to CACS.

For CACS performed as AUPs, the standard program does not include a step for the
auditor to discuss performing an AUP with the contracting officer. Therefore, the auditor
does not have to obtain the requestor’s agreement with the planned procedures to be
performed or document that the requestor assumes the responsibility for the procedures
and criteria. DCAA performs quick close out CACS assignments when they have not
audited all the incurred costs, but the contracting officer is allowed by Federal
Acquisition Regulations (FAR) to close out a contract prior to finalizing all the indirect
rates. DCAA must confirm with the contracting officer that the contract is subject to
quick close out and what procedures the contracting officer requires DCAA to perform.
Therefore, for DCAA to perform these CACS as AUPs, they need to revise the standard
program to require the auditor to perform and document these key steps.
DCAA could
choose to issue a report that specifically states the review was not done in compliance
with GAGAS and remove any standard wording that could confuse the user by implying
that the auditor had performed a GAGAS compliant review.

Recommendations, Management Comments, and DoD IG Response

Recommendation 5.

The Director, Defense Contract Audit Agency should:

  (a.) determine whether contract audit closing statement reviews
  should be performed in compliance with generally accepted government
  auditing standards, and, if so, what type of attestation engagement, and

  (b.) revise the Contract Audit Manual guidance, standard audit
  programs, pro forma reports, and training for performing contract audit
  closing statements based on that decision.

Management Comments. The DCAA Assistant Director for Policy and Plans concurred
with the recommendations and has initiated a study of their guidance on performing
CACS assignments. DCAA intends to revise their guidance by October 2007, for the
performance of CACS assignments based on the results of the study. DCAA disagreed
with the conclusion that CACS assignments were not performed in compliance with
GAGAS because GAGAS evidence standards provide for the reliance on the work of
others.

DoD IG Response. We accept the DCAA actions as responsive to the intent of the
recommendations.

6. Agreed-Upon Procedures Engagements. In the majority of the 21 reviewed
AUP engagements, [7] DCAA did not comply with key GAGAS or American Institute of
Certified Public Accountants (AICPA) attestation standards as incorporated in GAGAS. [8]
Noncompliances with GAGAS identified in the AUP assignments reviewed included
assignments that:

  • had no evidence that the requestor agreed to or accepted responsibility for the
    procedures performed;
  • did not have the criteria appropriately defined;
  • did not define the procedures appropriately; and
  • did not comply with all the reporting requirements.

In three of the worst situations, the noncompliances were so significant that the related
reports contained misleading, inaccurate, or incomplete information and, therefore,
should not have been issued.

DCAA revised its guidance and required training based on its last two headquarters-led
quality assurance reviews. However, DCAA needs to implement several additional
corrective actions so that agency auditors consistently comply with the GAGAS when
performing AUPs. In July 2004, to correct deficiencies identified by the DCAA
headquarters-led quality assurance team in performance of AUPs during the FY 2003
quality assurance review of forward pricing audits, DCAA issued revised guidance on
AUPs and required the audit offices to provide training using headquarters-developed
AUP training materials. During its FY 2006 quality assurance review of “All Other”
assignments, DCAA again identified deficiencies in performance of AUPs, but they
considered the deficiencies less significant than those from the first cycle quality
assurance reviews. DCAA required all regional and Field Detachment management to
establish and submit to the Deputy Director for approval an appropriate quality control
monitoring process for planning, performing, and reporting AUPs by April 28, 2006. In
a November 9, 2006, memorandum, DCAA Headquarters provided training materials for
Regional and Field Detachment office staff to assist them in their AUP monitoring
efforts.
The training was to be completed by January 31, 2007. In March 2007, DCAA
issued a required AUP self-study course that auditors must take prior to performing
their first AUP assignment.

DCAA revised existing Contract Audit Manual (CAM) language and pro forma reports to
make them applicable to AUPs, but this resulted in inconsistent guidance that did not
fully comply with GAGAS. For instance, DCAA guidance instructs auditors to revise
audit reports by deleting the word “audit” and inserting the phrase “application of
agreed-upon procedures.” AUP reports should state that no opinion is provided and only present
the procedures performed and the results. DCAA guidance instructs the auditor that
when writing the results section of the report, they should describe the contractor books
and records to which the agreed-upon procedures were applied and that the auditor
should provide appropriate explanatory notes. However, explanatory notes generally
include far more information, such as the contractor’s basis for a cost, than is required for
AUPs. For AUPs, the auditor should separately list each agreed-upon procedure and then
describe the finding for that procedure. Therefore, the edit changes did not clarify the
reporting guidance and pro forma report. Instead, auditors could easily become confused
about what they should do when performing AUPs. In another CAM section, the
guidance discusses the GAGAS applicable to AUPs and uses poorly chosen words to
conclude, “The agreed-upon procedure engagements are not considered examinations
because of limitations of the audit scope.” This statement implies that an auditor could
start an assignment as an AUP and then, by eliminating a scope limitation, make it an
examination. However, because the requestor assumes full responsibility for the
adequacy of the procedures and the criteria, performing an AUP does not require the
same planning steps as an examination.

[7] DCAA estimates that in FY 2006, auditors only charged 2 percent of direct audit hours to AUPs.
[8] GAGAS incorporates the AICPA general standard on criteria for attestation engagements and requires
    auditors to also follow all the GAGAS general standards when performing work in compliance with
    GAGAS. It also incorporates the AICPA field work and reporting standards for attestation engagements
    and, as of when DCAA performed the reviewed audit assignments, all the AICPA Standards for
    Attestation Engagements. Additionally, GAGAS provides additional field work and reporting standards
    for attestation engagements performed in compliance with GAGAS.

DCAA should completely rewrite the guidance on AUPs to fully comply with GAGAS
requirements and consolidate all guidance, not including guidance on report content, in a
separate chapter or chapter section in its CAM. This would lessen the chance that
auditors would confuse an AUP with other attestation engagements and facilitate auditor
compliance with GAGAS for AUPs. DCAA should also revise its pro forma audit report
for AUPs so that it specifically covers GAGAS required reporting elements for AUPs.
The current pro forma AUP report is a revised version of its other pro forma audit reports
and, therefore, does not present the required information in as straightforward a manner
as is possible. This, in turn, can confuse both the auditor drafting an AUP report and the
requestor who reads it.

Recommendations, Management Comments, and DoD IG Response

Recommendation 6.

The Director, Defense Contract Audit Agency should:

  (a.) revise all guidance on performing agreed-upon procedures
  engagements in a separate Contract Audit Manual chapter or section of a
  chapter solely devoted to agreed-upon procedures engagements,

  (b.) revise the agreed-upon procedures pro forma report so that it
  complies with generally accepted government auditing standards and is
  easily distinguished from other standard audit report formats,

  (c.) identify and track all assignments performed as agreed-upon
  procedures engagements in the agency management information system, and

  (d.) require regional and Field Detachment management to monitor
  on an ongoing basis agreed-upon procedures engagements to ensure that
  they are performed in compliance with generally accepted government
  auditing standards until the headquarters-led quality assurance review team
  completes the third cycle reviews.

Management Comments. The DCAA Assistant Director for Policy and Plans concurred
with recommendation (a.) and plans to consolidate the DCAA guidance for AUPs, except

simply “FAR, DFARS, or Applicable Agency FAR Supplement, and CAS [cost
accounting standards].” For report writing, the guidance is similar to that for planning as
shown in the pro forma attestation reports example. Both the FAR and DFARS are
voluminous; therefore, some further definition of the specific section(s) of FAR and
DFARS is needed. When the auditor uses such general criteria in the planning document,
they must then include more defined criteria used related to specific tests or other steps in
the relevant working papers.
To comply with other GAGAS requirements, including
proper supervision and internal and external quality assurance reviews of the work, the
auditor must identify the specific criteria used in the working papers and the report.

Supervisors, internal quality assurance reviewers, and external reviewers should not
assume that the auditor used the correct criteria. They must be able to verify the specific
criteria used to assess the work performed.

Recommendations, Management Comments, and DoD IG Response

Recommendation 7.

The Director, Defense Contract Audit Agency should revise the Contract
Audit Manual to require auditors to identify the specific criteria actually used in the
performance of attestation examinations and reviews either on the planning
document working paper or in the scope section of working papers.

Management Comments. The DCAA Assistant Director for Policy and Plans
nonconcurred with the recommendation. DCAA did agree that applicable non-DoD
regulations should be referenced in the report and working papers and issued policy in
December 2006 to that effect. However, DCAA believes that their guidance, which
requires authoritative criteria (FAR, DFARS, CAS) used in audit procedures testing for
compliance be documented in the working papers and that specific provision of the
criteria (FAR 31.205-33) be documented in the case of noncompliance practices or costs
questioned, complies with GAGAS.

DoD IG Response. DCAA needs to reconsider its position on this recommendation.
GAGAS requires auditors to state the criteria to provide a context for evaluating evidence
and understanding the findings.
Without the criteria, supervisors, internal quality
assurance reviewers, and external reviewers are unable to verify the specific criteria an
auditor used to assess the work performed, even if there are no noncompliance practices
or costs questioned.

Fraud, Illegal Acts, Violations of Contracts or Grant
Agreements, and Abuse
        8. Planning, Risk Assessment, and Designing Tests. The six audit offices
evaluated during our review did not implement the DCAA guidance for major contractors
requiring them to ask contractor representatives about their knowledge of fraud risks
during the annual audit coordination process. DCAA also expected its auditors to ask
management, audit committees, internal auditors, and other contractor personnel, as
deemed appropriate, about their views of fraud risks. DCAA added this requirement in
January 2004 to incorporate revisions that the AICPA made to its auditing standard on
the auditor’s responsibility relating to fraud. An auditor should use the information
gained from such inquiries to properly plan individual examination assignments by
designing specific steps to detect material instances of potential fraud, illegal acts, or
violations of contract provisions. Therefore, the six audit offices did not fully comply

Appendix C.
Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)/Chief Financial Officer

Other Defense Organizations
Director, Defense Contract Audit Agency

Congressional Committees and Subcommittees, Chairman and Ranking
  Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Oversight and Government Reform
House Subcommittee on Government Management, Organization, and Procurement
  Committee on Oversight and Government Reform
House Subcommittee on National Security and Foreign Affairs, Committee on Oversight
  and Government Reform
House Subcommittee on Information Policy, Census, and National Archives, Committee
  on Oversight and Government Reform

Appendix D. Defense Contract Audit Agency
Comments

Final Report Reference
Added on page 7
'